A summary of all the news items on Compliance and Privacy
To avoid long load times, news is archived periodically. If you can't find what you are looking for on this page, please refer to our archives. Please use the search engine for ease of retrieval.
Are Smartphones Endangering Security?
Smartphones are spreading throughout the business world. Their use is growing across organisations and at all levels.
According to Gartner, sales of mobile devices in the second quarter of 2011 grew 16.5 percent year-on-year. Smartphone sales grew 74 percent year-on-year and accounted for 25 percent of overall sales in the second quarter of 2011, up from 17 percent in the second quarter of 2010.
Not only are the numbers of smartphones growing, their versatility is increasing. Where staff used to carry laptops when they went out of the office, to retrieve email and use other applications on the move, they can now carry just a smartphone.
This potentially allows them to send and receive emails, use a variety of applications, link to the company network to access data and use network-based applications, access social networking sites, and carry out online e-commerce and banking transactions.
Read the article
How to deal with Internet security threats
Ian Kilpatrick, chairman of IT specialist Wick Hill Group, examines the range of Internet security threats faced by companies today and advises on how to protect against them.
Read the article
How the New EU Rules on Data Export Affect Companies in and Outside the EU
On 5 February 2010 the Commission of the European Union (EU) updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries. The old clauses are repealed with effect from 15 May 2010.
Standard contractual clauses are an important instrument for companies in the EU to comply with national data protection laws if information on individuals is transferred to or accessed by organizations outside the EU.
The EU Commission decision is relevant for all organizations receiving personal data - for example customer or employee data - from subsidiaries, customers or vendors in the EU.
In addition, the new standard contractual clauses will also affect companies which indirectly receive personal data that originally comes from the EU, e.g. by providing services to companies which process EU data. This is because the new standard contractual clauses require companies importing personal data from the EU to contractually impose the terms of the clauses on any subcontractor to which they transfer personal data or grant
Read the story
Latest UK Data Leak Scandal highlights Government's use of old technology
Woking, Surrey: 4th November, 2009 - Farmers’ Weekly has reported (1) that two backup tapes, containing thousands of farmers’ bank details, have been lost by the Rural Payments Agency (RPA). Concerned whistleblowers recently leaked the story to the publication.
The Department of Environment Food and Rural Affairs (DEFRA) knew about the loss back in May, says Farmers’ Weekly, and the RPA knew in September, but nothing was done to advise farmers of the risk they faced.
Quite who is responsible and how the tapes were lost is still being hotly debated with a lot of buck passing going on. According to one Farmers’ Weekly source, the tapes weren’t encrypted, as they should have been, increasing the risk.
Read the story
Saving Money With SFTP
By Ian Kilpatrick, Chairman, Wick Hill Group
Everyone is looking to cut costs in the recession, but there is one solution which many companies don't realise has the potential to save money for minimal investment and minimal disruption, which also can provide fast ROI.
A lot of organisations still have legacy systems and are happy to live with them, given the huge upheaval and potential expense which replacement would mean. But those legacy systems have some costly aspects to them, which can easily be improved and which offer the potential for savings.
FTP file transfer from legacy systems normally goes on in the background without anyone paying too much attention to it. It's the part of legacy systems which is below the surface and which gets taken for granted.
Many companies rely on FTP for file transfer, but FTP has a number of weaknesses that make it ripe for improvement: it sends user names, passwords and file contents in cleartext, and its separate data connections are awkward to pass through firewalls. Replacing it with SFTP (the SSH File Transfer Protocol, which runs every transfer inside an authenticated, encrypted SSH session) removes those problems and offers companies the potential to cut costs and gain ROI.
Read the article
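To make the FTP weakness in the article above concrete, here is an added example (not part of the original article) that does what a passive observer on the network path does: it parses a captured FTP control-channel session and pulls out the login and the files moved under it. The session bytes are constructed for the example; the host name, user name and password are invented. The second function shows why the same sniffer gets nothing from SFTP: the stream opens with an SSH banner and is ciphertext after the key exchange.

```python
"""Extract cleartext FTP logins from a captured control-channel session.

Added example; the session below is constructed, not a real capture.
FTP (RFC 959) sends USER and PASS as plain text, so anyone on the path
(a compromised switch, a hostile Wi-Fi hotspot, a sniffer on the legacy
host's segment) reads the credentials. SFTP runs every transfer inside
an SSH session, so the same observer sees an SSH banner followed by
ciphertext and nothing this parser could recover.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed FTP control-channel exchange, as a sniffer would reassemble it.
CAPTURED_FTP_SESSION = (
    b"220 legacy-erp.example.internal FTP server ready\r\n"
    b"USER batchxfer\r\n"
    b"331 Password required for batchxfer\r\n"
    b"PASS Summer2009!\r\n"
    b"230 User batchxfer logged in\r\n"
    b"PORT 10,20,30,40,196,11\r\n"
    b"200 PORT command successful\r\n"
    b"STOR payroll_export.csv\r\n"
    b"226 Transfer complete\r\n"
    b"QUIT\r\n"
)

# Client commands of interest; server replies start with a 3-digit code
# and never match this pattern.
FTP_COMMAND = re.compile(rb"^(USER|PASS|STOR|RETR)\s+(.+?)\r?$")


@dataclass
class FtpLogin:
    user: str
    password: Optional[str] = None
    files: List[str] = field(default_factory=list)  # STOR/RETR under this login


def extract_ftp_logins(stream: bytes) -> List[FtpLogin]:
    """Return one record per USER command seen in the control stream,
    with the cleartext password and the files moved under that login."""
    logins: List[FtpLogin] = []
    current: Optional[FtpLogin] = None
    for raw_line in stream.split(b"\n"):
        m = FTP_COMMAND.match(raw_line)
        if not m:
            continue
        verb, arg = m.group(1), m.group(2).decode("utf-8", "replace")
        if verb == b"USER":
            current = FtpLogin(user=arg)
            logins.append(current)
        elif verb == b"PASS" and current is not None:
            current.password = arg
        elif current is not None:  # STOR or RETR
            current.files.append(arg)
    return logins


def is_sftp_session(stream: bytes) -> bool:
    """SFTP traffic opens with the SSH identification string; after the
    key exchange a passive observer sees only ciphertext."""
    return stream.startswith(b"SSH-2.0-")


if __name__ == "__main__":
    for rec in extract_ftp_logins(CAPTURED_FTP_SESSION):
        print(f"user={rec.user} password={rec.password} files={rec.files}")
    print("looks like SFTP:", is_sftp_session(CAPTURED_FTP_SESSION))
```

The same logic, pointed at a span port or a packet capture, is a cheap inventory check: any FTP login it recovers from your own network is a credential that is already exposed to whoever else can see that segment, and the file names tell you which legacy job to migrate to SFTP first.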
UK Information Commissioner targets firm selling vetting data
The Information Commissioner's Office (ICO) has taken stringent enforcement action against a business that it believes has been selling data about construction industry workers to prospective employers.
The action against the Consulting Association is further evidence of the proactive enforcement stance being adopted by the ICO. It is an interesting case study of the range of powers the ICO has:
- obtaining a warrant to enter and search premises
- issuing an enforcement notice that effectively requires the business to cease using the data
- the threat of criminal sanctions, because the business had also failed to notify (register) with the ICO.
The impact may well be to close this business down, which is proof that the ICO is far from being a toothless tiger amongst regulators.
Read the article
12 Key steps to Internet Security
- Your approach to internet security should begin with a risk assessment. If you don't know what threats are likely to be posed to your IT systems and networks, and their potential effects on your business should they occur, then you are not really in a position to put in place a series of measures to counter these threats.
- An effective anti-virus solution is absolutely fundamental to the security of any computer network.
- Equally, a firewall is one of the most basic security mechanisms and should form an integral part of your internet security defences.
Read steps 4 - 12
An article by Renzo Marchini, Of Dechert LLP
It is widely (and incorrectly!) believed that it is unlawful in the UK in all circumstances to monitor and record telephone calls without drawing this to the attention of the parties to the call. There are in fact broad exceptions, relevant to many businesses, which do allow such activities without obtaining consent.
There are several reasons why businesses may wish to monitor or record telephone use for business purposes. Often the rationale is quality control or even an employee's compliance with certain regulations, but the monitoring may also be useful for ensuring that employees are not calling friends in Australia at the business's expense or otherwise using the system contrary to your policies. The law must however balance these goals against the need to protect employees as well as external persons from "snooping" and misuse of such data.
There are two principal legal areas of relevance; namely, the law on "interception" of communications stemming from the Regulation of Investigatory Powers Act 2000 ("RIPA") and the Data Protection Act 1998 ("DPA").
Read the Article
Firewall or Unified Threat Management (UTM) System?
UTMs used to be the domain of smaller companies, but Ian Kilpatrick, chairman of security specialist Wick Hill Group, explains why UTMs are now a serious contender for providing firewall protection, and a whole lot more, for enterprises and larger companies.
Unified threat management systems (UTMs) have been growing in popularity for the last few years. Traditionally, they have been widely adopted by SMEs, but larger companies and enterprises are now also deploying UTMs, appreciating the benefits they can offer.
UTMs are designed to provide a range of security solutions in a single appliance, reducing costs and simplifying the whole process of security systems management, reporting and installation.
The minimum requirement for a UTM, according to IDC, is a firewall, VPN, antivirus and intrusion detection/prevention. Super UTMs (sometimes called extended UTMs or XTMs) have, however, evolved from this to incorporate additional capabilities which can include URL filtering, spam blocking and spyware protection, as well as centralised management, monitoring, and logging capabilities.
Read the Article
Information Commissioner's Office demands encryption of mobile devices
Demonstrating the increasing appetite of the Information Commissioner's Office (ICO) to take enforcement action, Virgin Media Limited is the latest organisation to be held to account for a breach of the Data Protection Act 1998 (DPA). The breach seems to have occurred earlier this year following the loss of a compact disc that was passed to Virgin Media by Carphone Warehouse. The disc contained personal details of various individuals' interest in opening a Virgin Media Account in a Carphone Warehouse store.
In this instance, the ICO has not gone straight to issuing an enforcement notice (by contrast to the treatment of the Liberal Democrat Party last week), but has instead obtained a formal undertaking requiring Virgin Media to undertake certain steps to improve its security measures. The breadth of the obligation to use encryption will surprise many organisations.
Virgin Media is required, with immediate effect, to encrypt all portable or mobile devices that store and transmit personal information. Further, the company is to ensure that any service provider processing personal information on its behalf must also use encryption software and this requirement has to be clearly stated in all contracts. We suspect that in practice not many organisations expressly state this in their contracts. Most - if they deal with security at all - will contain the generic security language contained in the seventh principle of the DPA.
Read the Article
Data loss - liability, reputation and mitigation of risk
With an increasing number of security breaches hitting the headlines, there is, unsurprisingly, a growing awareness amongst regulators and the public alike of data security issues.
The risks to businesses of being involved in a data loss incident are high. Criminal sanctions under the Data Protection Act are well established, but other regulators like the Financial Services Authority (FSA) are also willing to flex their enforcement muscles. In the last three years, the FSA has levied substantial fines against several of its members for security breaches.
Bad publicity is another potentially lethal sanction. A recent study by Ponemon showed that 31 per cent of respondents terminated their relationship with an organisation on receiving notification of a breach of data security.
Read the article
Phorm, Webwise, OIX and the BCS Security Forum
Phorm over function? Perhaps that is the challenge when marketing desires clash with privacy hopes. The Phorm furore began in the spring of 2008; now, in the autumn of 2008, it has been one data breach and user faux pas after another, exposing countless millions of individuals' personally identifiable information, and that has focused the spotlight firmly on the need to apply "privacy by design" principles from the outset, something the ICO will be taking a very serious view of in the coming months. The BCS Security Forum is equally involved in keeping a watching brief.
Read the BCS Security Forum Position Paper
Are you storing customer data properly? The challenges of PCI DSS compliance
Data security breaches are hitting the headlines with alarming frequency. While the most recent breaches have involved the public sector and financial services industries, retailers are not immune from the rise of data losses. Cotton Traders, the UK leisurewear and casual clothes brand, for example, recently conceded that thousands of customer details had been stolen from the company's website. Last year saw perhaps one of the most publicised cases, involving the retail giant TJ Maxx, which found that hackers had accessed internal systems used to process and store customer transaction data, including credit card, debit card, cheque and return transactions. The incident cost TJ Maxx $256 million (1) and the company is now offering to pay Visa card issuers a further $40.9 million (2) to compensate for costs connected to the data breach. With data security cases rising in number and severity, the various industries affected are pulling together in an attempt to reduce the risk of fraud. The Payment Card Industry Data Security Standard (PCI DSS) is one such example, which aims to crack down on fraud associated with credit and debit cards. However, the implementation of PCI DSS is not without its challenges and these must be overcome if the standard is to be used as an effective weapon in the fight against card fraud.
PCI DSS aims to prevent any information that could be used to make a counterfeit card or a fraudulent online transaction from falling into the wrong hands. The standard applies to every acquiring bank, merchant and third party that accepts or processes payment cards. It is now mandatory for businesses with over 100,000 transactions a year to either be PCI DSS compliant or be able to demonstrate plans to become so. However, there is one element of the standard which is proving to be a particular stumbling block – requirement 3: protecting the stored cardholder data. In fact, 79 per cent of PCI DSS audit failures are due to companies not implementing requirement 3 properly.
Read the Article
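Requirement 3 failures usually come down to card numbers sitting readable in places nobody checked: order logs, CSV exports, support tickets, old database dumps. The following is an added example (not from the article above) of the check an assessor or a data-loss-prevention scan runs over such material: it finds candidate primary account numbers, confirms them with the Luhn check so that order IDs and phone numbers are not flagged, and renders each one masked to the first six and last four digits, which is the most PCI DSS allows to be displayed. The sample export is constructed and uses publicly known test card numbers rather than real ones.

```python
"""Find stored primary account numbers (PANs) and render them masked.

Added example; the export below is constructed and uses publicly known
test card numbers. PCI DSS requirement 3 requires stored PAN to be
rendered unreadable and displayed PAN to be masked (at most the first
six and last four digits shown). Running a scanner like this over logs,
exports and database dumps is how requirement 3 gaps are found.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed order export: three valid test PANs, one Luhn-invalid
# 16-digit number, and a phone number that must not be flagged.
SAMPLE_EXPORT = """\
order_id=20090115-0007 customer=J Smith card=4111 1111 1111 1111 exp=12/11
order_id=20090115-0008 customer=A Jones card=5555-5555-5555-4444 exp=03/10
order_id=20090115-0009 customer=P Patel card=378282246310005 exp=08/12
order_id=20090115-0010 customer=M Brown card=4111111111111112 exp=01/11
support_ref=0044 20 7946 0958 note=customer phoned to query refund
"""

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, star out the rest (PCI DSS 3.3 limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_digits(candidate: str) -> str:
    """Strip separators; return '' unless the run is a Luhn-valid PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return ""


@dataclass
class PanFinding:
    line_no: int
    masked: str


def scan_for_pans(text: str) -> List[PanFinding]:
    """Report every Luhn-valid PAN, by line, already masked so the
    finding itself does not become another copy of the card number."""
    findings: List[PanFinding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _pan_digits(m.group(0))
            if digits:
                findings.append(PanFinding(line_no, mask_pan(digits)))
    return findings


def redact_text(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form; order ids, phone
    numbers and Luhn-invalid digit runs are left exactly as they were."""
    def _sub(m):
        digits = _pan_digits(m.group(0))
        return mask_pan(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.masked}")
    print(redact_text(SAMPLE_EXPORT))
```

Masking is the display rule; for the stored copy itself the standard expects truncation, tokenisation, one-way hashing or strong encryption, so `redact_text` is the right tool for cleaning a log or a support export, not a substitute for fixing the system that wrote the full PAN in the first place.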
Data Vendor Sends SPAM about The Dangers of Prospecting Databases
Today (4 September, 2008) ComplianceAndPrivacy.Com received an email that appears to be from Harris Infosource, a D&B Company. Not a lot wrong with that, you may say. The email is a cold unsolicited email, or SPAM. What makes this amusing is that the SPAM has this subject line:
"Why Using Cheap Prospect Lists Can Cost You Big!"
Harris Infosource, it seems, are the purveyors of fine prospect lists.
Harris addressed their SPAM to Milton Bennett at our domain. If Milton existed, if Milton had ever existed, if we had ever created, used, publicised an address for Milton, who is not now and never has been a member of our staff, then this would have been something we could pass off as "just one of those things". But we have never heard of Milton Bennett. He is a figment of Harris Infosource's database. We wonder if they are selling him as a part of their very fine data.
Read the article
Bank Customer Personal Data Sold on eBay
An investigation is under way into how a computer containing bank customers' personal data was sold on an internet auction site.
The PC, which was reportedly sold for £35 on eBay, had sensitive information on the hard drive.
The Royal Bank of Scotland (RBS) and its subsidiary, Natwest, have confirmed their customers' details were involved.
RBS says an archiving firm told it the PC had apparently been "inappropriately sold on via a third party".
It said historical information relating to credit card applications for their bank and others had been on the machine.
The information is said to include account details and in some cases customers' signatures, mobile phone numbers and mothers' maiden names.
Read more on the BBC
Best Western Denies Report of Massive Data Breach
A Scottish newspaper Friday ran a story that claimed to uncover a massive theft of data from Best Western's customer database, including personal information on all 8 million customers at the chain's 1,300 hotels in the past year.
After initially thanking the newspaper and doing its own investigation, however, the hotel chain now says The Sunday Herald's report of a massive breach at Best Western is "grossly unsubstantiated."
In its report, The Sunday Herald stated that "a previously unknown Indian hacker successfully breached the IT defenses of the Best Western Hotel Group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia." The newspaper called the attack "the greatest cyber-heist in world history," alleging that it "scooped up the personal details of every single customer that has booked into one of Best Western's 1,312 continental hotels since 2007."
The newspaper stated that Best Western officials thanked it for discovering the breach and immediately closed the security hole by Friday afternoon. "Best Western took immediate action to disable the compromised login account in question," a hotel spokesman told the paper on Friday. "We continue to investigate the root cause of the issue, including, but not limited to, the third-party Website that has allegedly facilitated this illegal exchange of information."
Last night, however, Best Western stated that its own investigation indicates that only about 13 customers are at risk, not 8 million.
Read the denial in Dark Reading
Best Western Data Loss - Indian hacker alleged brain behind biggest cyber-heist
An unknown Indian hacker is being 'charged' with the greatest cyber-heist in history for allegedly helping a criminal gang steal identities of an estimated eight million people in a hacking raid that could ultimately net more than 2.8 billion pounds in illegal funds.
An investigation by Scotland's Sunday Herald newspaper has discovered that late on Thursday night a previously unknown Indian hacker successfully breached the IT defences of UK's Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.
There are no details yet on how the hacker was identified to be an Indian and if a probe is on to identify the person. It is also not known if the hotel chain has alerted the police about the heist.
Read the Economic Times Article
Republic of the Philippines can’t do without policy on data privacy, security
Under no circumstances can the Philippines compete, let alone thrive, in the lucrative outsourcing market and the global marketplace without a fool-proof policy on data protection and security.
This was the clear message sent out by participants in a recent conference dubbed "Mapping the Future of Information Security Forum" organized by the Information Systems Security Society of the Philippines (ISSSP) at a hotel in Makati City.
Anthony Tuason, a director at consultancy firm PriceWaterhouseCoopers, said during his presentation that IT companies, most especially those in the BPO sector, cannot possibly institute "IT governance" — the process of using technology as a management tool to run an organization — in the workplace if security is being disregarded.
"Innovation, value, and performance can be derived from IT governance (and) data privacy and security is one area that helps organizations achieve their IT governance objectives," Tuason said.
Read the Manila Bulletin article
Vietnam introduces heavy fines for spammers
Organisations and individuals who send spam mail and text messages or trade in e-mail addresses may be fined up to VND80 million (US$5,000), according to the newly-issued Decree on Anti-spam mail.
The decree bans organisations and individuals from using electronic means to deliver spam messages, exchange or trade e-mail addresses or deliver software products that collect e-mail addresses, according to the Ministry of Information and Communications.
Read the Viet Nam News article
National Gateway Security Survey 2008 Shows Interesting Changes in Threat Landscape
- Strong move towards remote and mobile use.
- Securing the network from external attack is top priority.
- The focus for IT security is on external threat rather than internal threat. This is at variance with the threat risks most organisations face.
- Green issues considered important, but that is not yet translating into purchasing IT security
- Conditions right for UTM growth
- Users' purchasing decisions show IT security is not commoditised.
- Wireless and VoIP increasing
Read the article
Unified Threat Management (UTM) - Watchguard Technologies
Unified threat management (UTM) spawned a new era of IT security. The promise of these integrated security appliances proved to be an exceptional and efficient way of securing commercial networks. However, businesses today face an inflection point, dictated by changing market trends and new technologies that demand more of today’s UTM. Hence the need is for eXtensible threat management (XTM) solutions, the next generation of UTM appliances. XTM is predicated upon the substantive expansion of three elements: more security, greater networking capabilities, and more management flexibility. This paper provides an overview of these issues and the WatchGuard® Technologies perspective on “extensibility” and XTM.
Read the article
Trust is not about SSL. It's about Top Level Domains
At ComplianceAndPrivacy we've been running a study on domains to trust. We don't mean "trustmydomain.com", we mean the thing most people call the 'domain suffix' but is really the 'Top Level Domain'; the little thing that you choose when buying "myfabulousdomain".
Do you choose .com, or do you think, incorrectly "That is for the USA"? Do you choose .biz? Is .org for you? What about .info?
So we asked, on a pretty normal website, this question: "Some domains seem to feel more trustworthy than others. This survey is about the .com .biz .info .org and other domain suffixes and which put you most at ease. OK, there are iffy nations, but we are lumping all national style ones under one entry. Tick all that say to you 'Trust this domain'"
We expected nothing significant. After all it was a website for Joe Q Public, and this is what we got:
Read the Article
How Centralised Unified Threat Management (UTM) Can Help Companies Control Security At Remote Offices, Simplify Administration And Cut Costs
- In today's distributed computing environment, it is becoming increasingly important to control security at remote locations from the centre.
- Companies such as WatchGuard are now providing unified threat management (UTM) solutions with strong centralised control.
- The problems when centralised control is not strong include -
- difficulty implementing company security policies across the whole network
- no clear visibility of what is happening across the network
- branches failing to carry out all security updates and procedures
- difficulty in providing audit logs
- lack of availability of skilled staff at remote sites
- higher costs to support remote sites.
- Looks at the centralised management features provided by WatchGuard in its UTM solutions, which give tight, centralised control of security across the network.
- Features include drag and drop VPN tunnel creation; and an easy to use real time monitoring system with clear, intuitive graphical interface
- Two typical scenarios of how a unified threat management system with centralised control makes controlling remote security easier and more cost-effective.
Read the article
Mobile and Remote Working - Is it secure?
By Ian Kilpatrick, chairman of Wick Hill Group, specialists in secure infrastructure solutions
- Unstoppable move towards remote and mobile working
- Mobile working is not adequately secured.
- Organisations are concerned about security for mobile and remote workers and how to enforce company security policies outside the gateway.
- Companies want to protect against data leakage and data loss from such problems as stolen laptops.
- There is no one solution to securing remote working.
- The range of solutions includes strong authentication, end point security, remote unified threat management (UTM) systems, low-cost encryption and VPNs.
Read the article
Grier Olubi and Bentleys - Individual solicitors convicted for data protection offences
The Information Commissioner’s Office (ICO) has today successfully prosecuted two London solicitors for offences under the Data Protection Act. Olubi Adejobi of Grier Olubi Solicitors and Robert Bentley of Bentley’s Solicitors, both based in London, were each fined £300 and ordered to pay costs of £500 plus a victims’ surcharge of £15 at Stratford Magistrates’ Court. Each solicitor must pay a total of £815 in fines and costs.
Today’s prosecution follows the failure of both Mr Adejobi and Mr Bentley to notify as data controllers despite repeated reminders from the ICO of their obligations under the Data Protection Act.
Under the Act, organisations that process individuals’ personal information may be required to notify the Information Commissioner, at a nominal cost of £35 per year. Despite being told to notify, both Mr Adejobi and Mr Bentley have failed to respond to any of the ICO’s correspondence and have still not notified.
Read the article
ADC Organisation prosecuted for data protection offences
ICO prosecutes debt company for breaching marketing rules
A Manchester debt recovery company has been successfully prosecuted by the Information Commissioner’s Office (ICO) for bombarding individuals and businesses with unwanted faxes. The action follows thousands of complaints from individuals and businesses to the ICO and the Fax Preference Service (FPS).
ADC Organisation Ltd (ADC) pleaded guilty to six charges under the Privacy and Electronic Communications Regulations and has been fined £600 (£100 per charge). The organisation was also ordered to pay £1,926.25 in costs. ADC must pay a total of £2,526.25 in fines and costs.
Read the article
ICO takes enforcement action against Marks & Spencer
M&S ordered to encrypt all hard drives by April 2008
The Information Commissioner's Office (ICO) has found Marks & Spencer (M&S) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees.
An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor. In light of the nature of the information contained on the laptop, it is the ICO's view that M&S should have had appropriate encryption measures in place to keep the data secure.
Mick Gorrill, Assistant Commissioner at the ICO, said: "It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption. The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.
“Organisations which process personal information must ensure that information is secure – this is an important principle of the Act. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers.”
Read the article
Bereaved man sickened by marketing 'breach'
A consultant in data privacy has slammed a crematorium for its "tasteless" posting of marketing material, claiming that it broke the law.
Tim Trent, 55, cremated his mum Connie at North East Surrey Crematorium last November and thought that would be the end of the matter.
But three days later, he was stunned to find a glossy brochure on his doormat, advertising memorials, plaques, flowers and other services offered by the crematorium.
Mr Trent said: "It hit me in the face like a sledgehammer. We had a really good send-off for my mother, and thought that chapter of our life was closed. I didn't expect this at all, so it was gloriously distasteful."
Read the Wimbledon Guardian article
European Data Protection Supervisor condemns data protection legislation
The European Data Protection Supervisor (EDPS) has condemned the inability of existing legislation to protect citizens against practices and proposals that amount to the creation of a state-sponsored surveillance society.
EDPS Peter Hustinx called on the European Parliament to pass primary legislation to define and protect personal data. He also asked for specific laws to protect such data from abuse under new data collection and exchange proposals from law enforcement agencies.
He said agencies that collect, process and store the data should provide information that would allow individuals to modify their behaviour to avoid being "profiled" and to obtain redress for errors and abuses.
The recommendations were part of three opinions that the EDPS issued in December. The opinions are his response to practices and proposals related to the fight against terrorism and organised crime. Many of them have arisen since 9/11.
Read the Computer Weekly story
FBI eyes British identity data
The US Federal Bureau of Investigation is seeking British co-operation in setting up an internationally accessible biometric database of known and suspected criminals and terrorists.
Read the Computer Weekly story
Dam Data Leakage at Source
Ian Kilpatrick, chairman of Wick Hill Group, looks at damming data leakage at source.
- Computer networks have become increasingly open and accessible by more and more users. Huge growth in the use of mobile, wireless and remote computing
- These changes in computer networks have left confidential data at risk of being seen by those unauthorised to view it.
- Those wanting to view data without permission include employees and those outside an organisation. The motive may be non-malicious, or malicious, or criminal.
- Laptops are particularly vulnerable to data loss or theft, with laptop losses reported ever more frequently.
- Losing data damages a company's reputation, puts it in breach of the Data Protection Act and may be very costly, including the possibility of being fined.
- If sensitive information, such as financial details, is lost, it may leave customers or staff exposed to identity theft.
- Currently, the protection of data is largely inadequate. Because of the rapidly changing structure of computer networks, companies should review the way they protect the security of data.
- The highest risk areas for losing data are through email, through remote access and through laptop use.
- Encryption is the best way to secure data. It is now both easy-to-use and low cost.
- Encryption technology is now moving towards Unified Encryption Management (UEM), which means that encryption is centrally managed throughout an organisation, including for office based systems, mobile and remote access.
Read the article
UK Information Commissioner does not regulate BlueSpam
Following discussions with the Department of Business, Enterprise and Regulatory Reform and others the Information Commissioner’s Office has amended its guidance on the Privacy and Electronic Communications Regulations 2003. The guidance previously stated that marketing messages sent using Bluetooth technology would be subject to PECR rules relating to the sending of unsolicited marketing.
Read the article
Flash mobs - the next online threat
Estonia has one of the most technologically advanced populations in Europe. Events in the last few months, though, have perhaps given the rest of Europe a taste of what might be the next real threat on the internet, flash mobbing.
Flash mobbing is where a group of people meet online to coordinate attacks on an organisation, either by their physical presence (such as everyone turning up at one furniture shop) or online. Common online attacks include sending emails to the same organisation at the same time, or hitting its website with mass queries with the aim of taking the server down.
Flash mobbing has been headline news in Estonia as its government uses technology extensively, for example allowing widespread use of e-voting in the last elections. The government's servers were attacked in the summer by a flash mob thought to have had connections with neighbouring Russia.
According to a report in vnunet.com, protestors created tools designed to damage government servers, and then publicised the attack and their tools so that people could join them in the attack. Already we have seen these same techniques used to attack companies, individuals (such as the former UK TV personality Keith Chegwin) and political figures (including the former UK Prime Minister Tony Blair).
Read the article
Thales's Mobile VPN Solution Secures the Use of Public Wireless Networks
SafeMove® Mobile VPN solution makes it easier and safer to use hotel broadband networks and Wi-Fi hotspot networks
Thales, a leading supplier of IT security products and solutions for all critical infrastructures, today (4 October 2007) announced a new version of its SafeMove Mobile VPN solution incorporating an innovative Hotspot Login Assistant. The enhancement makes untrusted public networks easier and much safer for users who require remote access to corporate networks. The Hotspot Login Assistant feature makes Thales's SafeMove the leading remote access solution, truly addressing all security dimensions, including critical human factor issues.
According to the latest figures from the Office of National Statistics, the number of people in the UK who work mainly from home doubled between 1997 and 2005 to 2.4 million workers. Supporting the desire for increasing levels of flexibility, the number of workers using multiple locations experienced the strongest growth, accounting for 6 per cent of all workers in 2005. These statistics reflect a worldwide trend that supports the need for advanced security solutions, such as SafeMove, to safeguard the information of companies and individuals wishing to access private data and applications from a variety of locations.
read the article
Thales SafeSign packages revolutionise delivery of identity management and authentication pilot schemes
Thales offers its award-winning end-to-end strong authentication solution, SafeSign, in a range of pilot packages for enhanced ease of installation and configuration
Thales today (1 October 2007) announces that it is launching individually packaged pilot versions of its market-leading identity management and authentication solution, SafeSign. This innovation enables enterprises such as banks and government agencies to assess the value of a solution against their specific business needs in a faster and more cost-effective manner. By using a SafeSign pilot package, organisations can have the solution operational in under 20 minutes, revolutionising the pilot phase and saving valuable project time.
Read the article
ICO takes action against unsolicited faxes
The Information Commissioner’s Office (ICO) has ordered two debt recovery companies to stop sending unwanted faxes to individuals and businesses. This action has been brought under the Privacy and Electronic Communication Regulations (PECR) following hundreds of complaints from individuals and businesses to the ICO and the Fax Preference Service.
The ICO has issued Enforcement Notices against Clear Debt Solutions and ADC Organisation Ltd after both companies repeatedly sent unwanted marketing faxes to individuals and companies who were registered with the Fax Preference Service or who had not given consent to receiving such faxes.
Read the article
Dechert - Bluespam - Is It Legal?
"Bluespam: Is it legal?" examines whether so called bluespam falls within the restrictions imposed by the Privacy and Electronic Communications Directive and whether organisations can therefore be prevented from marketing via bluetooth without first obtaining consent. It also considers the practicality of obtaining consent from bluetooth users and discusses the options for Bluetooth users who do not wish to receive bluespam.
Read the article
Ponemon Institute Examines Security Risk Posed by Off-Network, Data-Bearing Equipment
Study Finds Vast Majority of Data Breaches Involve Unprotected Confidential Information on Off-Network Devices
On August 7, financial services firm Merrill Lynch reported the theft of a laptop computer from its New Jersey corporate office – a computer containing sensitive personal and financial information, including Social Security numbers, for 33,000 of its employees. Such breaches of confidential information have become routine news for one simple reason: though sparing no expense to guard the security of their networks, corporations often fail to protect data on devices that are disconnected from the network.
According to a new study by the Ponemon Institute, 73 percent of corporations experienced the loss or theft of a data-bearing asset in the last 24 months, yet those same organizations report limited efforts to manage this vulnerability. The new Ponemon report, National Survey: The Insecurity of Off-Network Security, will be discussed in detail today [22 August 2007] by study author Dr. Larry Ponemon, founder and chairman, Ponemon Institute, and study sponsor, Robert Houghton, president, Redemtech, during the Privacy Symposium at Harvard University
Read the article
Romanian Scammers hit TradeMe Milestone
The criminal group responsible for numerous phishing scams on TradeMe hit a milestone on Saturday August 18th, 2007. Internet watchdog group ScamBusters reports that the number of hijacked TradeMe accounts used by a Romanian gang to place fraudulent listings on the site in the past eighteen months has now reached a total of one thousand.
“That's a lot of compromised accounts” says spokesman Alf West. “And they're only the ones that we've recorded. These criminals have many more accounts waiting in the wings, ready to use.”
ScamBuster Peter Andersen has been collating the hijacked accounts and auctions. “The thousand TradeMe user accounts identified as being hacked in the past eighteen months have been used to run 3,391 fraudulent auctions” he says, “all for non-existent items.”
Read the article
MiFID – Outsourcing continues to be an issue
A recent survey by City law firm Field Fisher Waterhouse has indicated that a significant percentage of outsourcing agreements signed by MiFID-impacted firms still fail to comply with the basic requirements of the directive. Whereas other regulations such as Basel II and Sarbox impact outsourcing by extrapolation of their rulings, MiFID is different in that it specifically refers to outsourcing and makes demands on outsourcing contracts, requires actions of supervisors and differentiates according to where the outsourcing service is located.
The overall impact will be to require substantial re-writing of existing outsourcing contracts and potentially brings the outsourcing vendors into the supervision of national regulators. This was recognised by the UK's Financial Services Authority, who released specific guidance in May; see Chase Cooper News of 17th May.
Read the Chase Cooper article
Wi-Fi SideJacking opens eyes at BlackHat
During a recent presentation at BlackHat, Errata Security raised a few eyebrows by showing a pair of point-and-click "SideJacking" tools dubbed Ferret and Hamster. The approach taken by Hamster—web session cookie cloning—is not particularly new.
However, by exploiting live BlackHat user traffic to gain access to attendees' GMail accounts, presenter Robert Graham made the threat posed by SideJacking perfectly clear:
The next time you use an open Wi-Fi hotspot to access a vulnerable website, you may not be alone.
SideJacking is the process of sniffing web cookies, then replaying them to clone another user's web session. Using a cloned web session, the jacker can exploit the victim's previously-established site access to change passwords, post mail messages, download files, or take any other action offered by that website.
Unlike some better-known HTTP attacks, SideJacking isn't about stealing logins or disruptively taking over the victim's session. It's about transparently sharing authorized site access with a legitimate user, after that user has already logged in.
Read the WiFi Planet article
Website rules for AIM companies
All companies listed on the AIM market have until 20 August 2007 to comply with regulations requiring detailed information to be included on their website. AIM is the London Stock Exchange's market for smaller growing companies.
According to a recent survey carried out by Investis, only six of the top 100 AIM companies' websites currently achieve full compliance with these regulations. The Investis research reveals that less than one-third of the companies surveyed achieved a compliance score of over 50%, with one company not even having a website. More information on the survey can be found at the Investis website.
The specific regulation is Rule 26 of the London Stock Exchange AIM Rules for Companies, issued in February 2007. A copy of these rules is available via the London Stock Exchange website.
Read the article
MiFiD: 50% say regulators slipping on guidance
With less than 100 days before the 1 November deadline many financial services firms are unhappy with the support they are receiving from their national regulators as they prepare for the Markets in Financial Instruments Directive, found a survey by SunGard and TradeTech. Half the 300 respondents stated that their national regulators were either “bad” (32%) or “very bad” (19%) in helping them to get ready for the directive.
In the UK, respondents were divided on whether the Financial Services Authority's minimal guidance, principles-based approach to MiFID was a good one – only 54% believed that this is “the best approach to prevent regulatory overload”, with the remaining respondents stating that this approach “makes it difficult to understand exactly what requirements the FSA desires, adding to the compliance task”.
The survey showed an overall increase in MiFID readiness – 53% of respondents now believe their preparations for the directive are “ahead” or “right-on-track”, compared with just 34% in September 2006. However, opinions are still divided on whether MiFID will have a positive impact. The majority (54%) of institutions surveyed state that they see MiFID as just “another piece of compliance”. In addition, only 42% of respondents believe that MiFID will be good for Europe's economy in the next 5 – 10 years, with over a third still undecided.
Read the Banking Technology article
The Coalition Against Domain Name Abuse to Combat Cybersquatting
The Coalition Against Domain Name Abuse (CADNA) is announcing the launch of its national campaign against Internet fraud. A non-profit organization based in Washington D.C., CADNA is leading the way in confronting cybersquatting – the fraudulent abuse of domain name registration that threatens the future viability of Internet commerce.
Although the Anti-Cybersquatting Consumer Protection Act (ACPA) was introduced in 1999, cybersquatting remains an underestimated threat. The number of .com domain names alone has doubled since 2003, and the number of cybersquatting disputes being filed with the World Intellectual Property Organization (WIPO) is on the rise – up 25% in 2006 from 2005. According to a recent independent report, cybersquatting increased by 248% in the past year.
With growing ease and profitability, sophisticated cybersquatters are exploiting a flaw in the domain name registration process whereby domain names are registered and subsequently dropped, risk free, within an accepted 5-day grace period. By abusing this grace period, cybersquatters “taste” and “kite” domain names in order to test their profitability. According to a recent industry report, there are over 1 million kited sites re-registered daily, collectively bringing in $100-125 million in annual revenue for criminals and profiteers. On the whole, cybersquatting is costing brand owners worldwide well over $1 billion every year as a result of diverted sales, the loss of hard-earned trust and goodwill, and the increasing enforcement expense of protecting consumers from Internet-based fraud.
Cybersquatters' increasing assault on intellectual property hurts everyone involved, including consumers and the Internet community at large. By registering domain names derived from famous brands, cybersquatters are able to successfully lure consumers into purchasing counterfeit products (including potentially harmful counterfeit prescription drugs), giving away their personal information (which could lead to further financial loss) and unwittingly exposing themselves to spyware deposits. According to the International AntiCounterfeiting Coalition (IACC), $600 billion was spent online for counterfeits in 2006. Phishing, a fraud enabled by cybersquatting, is also growing at an alarming rate. The Internet Crime Complaint Center, a partnership of the National White Collar Crime Center and the Federal Bureau of Investigation, found that consumers in the U.S. reported personal losses of $198.44 million to phishing in 2006.
read the article
Newcastle City Council accidentally releases credit card details to accessible system
Newcastle City Council has said it accidentally put 54,000 credit- and debit-card details on a computer system that could be accessed externally.
The council has today admitted it inappropriately released up to 54,000 credit- and debit-card details covering transactions between February 2006 and April 2007, covering payments to the council including council tax, business rates, parking fines, and rent payments.
read more in Computer Weekly
Monster Worldwide Hardens Its Web Security with Cyveillance
Cyveillance, a global leader in cyber intelligence, today announced that Monster®, the leading global online career and recruitment resource and flagship brand of Monster Worldwide, Inc. (NASDAQ:MNST), has selected Cyveillance to help further protect its customers from potential online fraud. Under the agreement, Cyveillance will also provide Monster with brand identity protection in addition to user privacy and anti-phishing services.
“Enhancing Monster's defenses against phishing and other online fraud is a top priority,” said Patrick W. Manzo, vice president, Compliance and Fraud Prevention, Monster North America. “Cyveillance's proactive cyber intelligence will help Monster provide our customers with an even safer environment to conduct their online career development and recruiting activities.”
Read the article
Reg NMS and MiFid...Together Forever?
Is there a possibility that MiFid and Reg NMS could one day be accepted by regulators on both sides of the Atlantic as being equivalent?
While financial services firms in the U.S. have been gearing up this year for the full implementation of Reg NMS, companies in Europe have been preparing for MiFid. (Well, actually only 8 of the 27 EU member states have so far implemented the legislation into their domestic law.)
Now, the head of the Centre for European Policy Studies (CEPS) is urging the European Commission to look into the similarities and differences between MiFid and Reg NMS.
Karel Lannoo, chief executive of CEPS, says both pieces of legislation came into effect at around the same time, and both are aimed at "updating regulation to reflect technological changes and market developments."
Read the Wall Street Technology article
More investment managers using web for reports
Investment managers are increasingly delivering client reports online, according to research by Rhyme Systems, an asset management services company.
A survey of managers at a Rhyme Systems workshop shows there is a growing trend towards web delivery and a need for greater reporting flexibility to accommodate changing client needs.
The research also suggests all client reports might need to be bespoke but raises questions about how to charge the cost to the customer. However, most firms surveyed do not measure the cost of producing individual client reports.
There is also a trend towards integrating client reports across a business rather than using a separate service.
Read the IFA Online article
Italy Arrests 26 for Phishing
Italian authorities are bringing charges in a scam involving fraudulent e-mail to bank customers.
Italy has become the latest country to clamp down on phishing, with authorities there arresting 26 people for an alleged scam to swindle bank customers.
According to a statement by one of those arrested, the scam involved sending fraudulent e-mails that appeared to come from Poste Italiane, the country's postal operator, which also offers bank accounts, insurance and loans, according to a news release (in Italian) from the Guardia di Finanza, which handles financial crimes.
The e-mails urged victims to hand over sensitive financial information, which was then used to draw money from their accounts, the finance authority said. Eighteen of those arrested are Italian citizens, with the remainder from Eastern European countries.
Read the PC World article
SSL certificates gone wild
By using so-called "Wildcard" certs, you can save a few headaches and a pile of money. Experts discuss the implications for virtualization as well as the potential risks.
"Where Wildcard certs have value is for anyone who is hosting multiple servers or server instances on one platform," said Quin. "Why this is becoming valuable at this point in time is because of the growing popularity of virtualization – as I virtualize I put more instances on one physical device and therefore I can now validate the trust of all of those instances with a single certificate."
But SSL is not about providing security; rather, it's about validating trust. While it creates a secure channel of communications between the user and end-point server, it has nothing to do with security on the server itself.
Read the Canadian Technology News article
CEOs urged to raise their game following unacceptable privacy breaches
The Information Commissioner is today calling on UK chief executives to take the security of employees’ and customers’ personal information more seriously. His call follows a number of unacceptable security breaches over the last year, involving leading names such as Orange and several high street banks.
Speaking at the launch of his annual report in London, Richard Thomas, the Information Commissioner, said: ‘Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying.
‘How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other's forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured, in non-confidential waste bags?’
The Information Commissioner added: ‘Business and public sector leaders must take their data protection obligations more seriously. The majority of organisations process personal information appropriately – but privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers.’
Read the article
ICO launches new data protection strategy
The Information Commissioner’s Office (ICO) is launching a consultation on its new Data Protection Strategy which sets out how the ICO intends to go about its task of minimising data protection risk. The strategy, launched at the Privacy Laws & Business 20th annual conference in Cambridge on Monday 2 July, is concerned with maximising ICO’s long term effectiveness in bringing about good practice. It explains how the ICO will focus its data protection resources on situations where there is the greatest risk of harm through improper use of personal information.
Launching the strategy, David Smith, Deputy Commissioner, said: ‘Our vision is of a society where respect for personal information is guaranteed. A society where organisations inspire trust by meeting reasonable expectations of integrity, security and fairness in the collection and use of personal information. A society where individuals understand how their information is used and are aware of their rights and are confident in using them. Our strategy is all about turning this vision into a reality.’
Read the article
ICO takes action against cold callers
The Information Commissioner’s Office has required two organisations to sign formal undertakings to stop making unsolicited marketing calls to individuals. This is a legal agreement that demands a firm commitment to the Privacy and Electronic Communications Regulations.
Satellite Direct UK Ltd and Satcover Ltd, both of Hove, East Sussex, were found in breach of the Privacy and Electronic Communications Regulations after making unsolicited marketing calls to individuals using an automated calling system. The organisations were also telephoning individuals for direct marketing purposes who had expressly told the companies they did not wish to be contacted or who had registered with the Telephone Preference Service.
Read the article
New Research Reveals Consumers Delay 34+ Hours Between the Click and the Purchase
A new ScanAlert research report, revealed exclusively to MarketingSherpa for publication this morning, shows that consumers now delay on average 34 hours and 19 minutes from the time they first click to an ecommerce site and when they finally buy something there.
So, any marketer who measures conversions solely by click-to-immediate-sale is blind to the vast majority of his or her success.
But, the bigger news broken in this report is stunning trend data. You see, back in 2005 when the study was conducted for the first time, consumers took an average of 19 hours to convert. Over the past two years, that delay time has risen by 80%. So, more consumer comfort in shopping online equals *longer* conversion cycles. That's something I don't think any of us ever predicted would happen.
read Marketing Sherpa's exclusive article
Security professionals back data disclosure
Security professionals back a European directive which requires companies to inform customers and regulators of data security breaches.
The European Commission is expected to pass such a directive this year, although it may take years for the UK to adopt it into law.
This means consumers here will have less protection than consumers in a growing number of US states already, when it comes to data breach disclosure.
A survey by database security firm Secerno shows that 77% of IT security professionals back a UK data breach disclosure law. A recent Ipsos MORI poll found that 82% of UK consumers expect to be notified immediately if there has been a security breach.
Read the Computer Weekly article
Authentication - A Market Update
- Breakdown of network security perimeter. Growth in number of devices wanting to access company networks. Increasing number of remote users and laptops. Users want to access more and more different applications.
- Traditional passwords unsuited to this situation. UK lagging behind in developing suitable access management for current situation.
- Description of types of authentication
- weak single factor
- strong authentication
- two factor authentication
- three factor authentication
- single sign on
- Remote, mobile and wireless security. How to deal with this particular risk. Strong 2-factor authentication. SSL VPNs. Limitations of wireless standards. MAC filtering
Read the article by Ian Kilpatrick of Wick Hill
Thales launches end-to-end security consultancy service for compliance with UK's Faster Payments Scheme
Financial institutions involved in the ‘second wave’ of compliance will require specialist security consultancy and products to mitigate increased security risks
Thales has announced the launch of an end-to-end security solution for Faster Payments aimed at mid-tier banks and corporate treasury departments. Many of these organisations will be considering how to meet the Faster Payments regulation after the 13 member banks go live in the ‘first wave’ of compliance in November.
Thales' end-to-end security service, covering physical, technical, human and organisational security, will be essential if financial institutions and treasury departments are to mitigate the increased security risks associated with the Faster Payments scheme.
The Faster Payments process will initially enable funds of up to £10,000 for internet and phone banking to be transferred in a matter of seconds and for funds of up to £100,000 to be transferred before 06.00 am on the due day of standing orders. While the benefits for consumers are obvious, it will also allow fraudsters to move funds from account to account and convert these funds into cash or goods within a couple of hours. As a result, the security risk profile of transactions using the Faster Payments platform is significantly altered, making it a potentially higher value target. It is therefore likely that the Faster Payments environment will face increased scrutiny by organised crime, with future attacks exploiting a blend of external and internal vulnerabilities.
Read the article
Tentative EU-US Deal on SWIFT Data
European Union governments have reached a tentative deal with the United States clarifying how it will use data it receives from Belgian-based bank transfer consortium SWIFT in anti-terror investigations, diplomats said Wednesday.
The deal is aimed at ending a trans-Atlantic battle on privacy rights in the hunt for terrorists, and would close a legal black hole over the status of a data transfer deal SWIFT signed with U.S. authorities after the Sept. 11, 2001, attacks.
The new draft agreement would bind the U.S. to use SWIFT data strictly in anti-terror investigations, the diplomats said on condition of anonymity due to the sensitivity of the talks.
Other uses of the data would have to meet conditions set by European data protection officials, they said.
The deal was being finalized as part of an exchange of letters between Washington and EU government envoys in Brussels. The draft was approved Wednesday by EU nations, and was expected to receive final approval Thursday.
Read the full Houston Chronicle article